<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>Prepared Statements</title>
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-base.css" />
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-medium.css" />

 </head>
 <body class="docs"><div class="navbar navbar-fixed-top">
  <div class="navbar-inner clearfix">
    <ul class="nav" style="width: 100%">
      <li style="float: left;"><a href="mysqli.quickstart.statements.html">« Executing statements</a></li>
      <li style="float: right;"><a href="mysqli.quickstart.stored-procedures.html">Stored Procedures »</a></li>
    </ul>
  </div>
</div>
<div id="breadcrumbs" class="clearfix">
  <ul class="breadcrumbs-container">
    <li><a href="index.html">PHP Manual</a></li>
    <li><a href="mysqli.quickstart.html">Quick start guide</a></li>
    <li>Prepared Statements</li>
  </ul>
</div>
<div id="layout">
  <div id="layout-content"><div id="mysqli.quickstart.prepared-statements" class="section">
  <h2 class="title">Prepared Statements</h2>
  <p class="para">
   The MySQL database supports prepared statements. A prepared statement
   or a parameterized statement is used to execute the same statement
   repeatedly with high efficiency and protect against SQL injections.
  </p>
  <p class="para">
   <em class="emphasis">Basic workflow</em>
  </p>
  <p class="para">
   The prepared statement execution consists of two stages:
   prepare and execute. At the prepare stage a statement template is sent
   to the database server. The server performs a syntax check and initializes
   server internal resources for later use.
  </p>
  <p class="para">
   The MySQL server supports using anonymous, positional placeholder
   with <code class="literal">?</code>.
  </p>
  <p class="para">
   Prepare is followed by execute. During execute the client binds
   parameter values and sends them to the server. The server executes
   the statement with the bound values using the previously created internal resources.
  </p>
  <p class="para">
   <div class="example" id="example-1421">
    <p><strong>示例 #1 Prepared statement</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Non-prepared&nbsp;statement&nbsp;*/<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT,&nbsp;label&nbsp;TEXT)"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Prepared&nbsp;statement,&nbsp;stage&nbsp;1:&nbsp;prepare&nbsp;*/<br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id,&nbsp;label)&nbsp;VALUES&nbsp;(?,&nbsp;?)"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Prepared&nbsp;statement,&nbsp;stage&nbsp;2:&nbsp;bind&nbsp;and&nbsp;execute&nbsp;*/<br /></span><span style="color: #0000BB">$id&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">1</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$label&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">'PHP'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bind_param</span><span style="color: #007700">(</span><span style="color: #DD0000">"is"</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$id</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$label</span><span style="color: #007700">);&nbsp;</span><span style="color: #FF8000">//&nbsp;"is"&nbsp;means&nbsp;that&nbsp;$id&nbsp;is&nbsp;bound&nbsp;as&nbsp;an&nbsp;integer&nbsp;and&nbsp;$label&nbsp;as&nbsp;a&nbsp;string<br /><br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();</span>
</span>
</code></div>
    </div>

   </div>
  </p>
  <p class="para">
   <em class="emphasis">Repeated execution</em>
  </p>
  <p class="para">
   A prepared statement can be executed repeatedly. Upon every execution
   the current value of the bound variable is evaluated and sent to the server.
   The statement is not parsed again. The statement template is not
   transferred to the server again.
  </p>
  <p class="para">
   <div class="example" id="example-1422">
    <p><strong>示例 #2 INSERT prepared once, executed multiple times</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Non-prepared&nbsp;statement&nbsp;*/<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT,&nbsp;label&nbsp;TEXT)"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Prepared&nbsp;statement,&nbsp;stage&nbsp;1:&nbsp;prepare&nbsp;*/<br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id,&nbsp;label)&nbsp;VALUES&nbsp;(?,&nbsp;?)"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Prepared&nbsp;statement,&nbsp;stage&nbsp;2:&nbsp;bind&nbsp;and&nbsp;execute&nbsp;*/<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bind_param</span><span style="color: #007700">(</span><span style="color: #DD0000">"is"</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$id</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$label</span><span style="color: #007700">);&nbsp;</span><span style="color: #FF8000">//&nbsp;"is"&nbsp;means&nbsp;that&nbsp;$id&nbsp;is&nbsp;bound&nbsp;as&nbsp;an&nbsp;integer&nbsp;and&nbsp;$label&nbsp;as&nbsp;a&nbsp;string<br /><br /></span><span style="color: #0000BB">$data&nbsp;</span><span style="color: #007700">=&nbsp;[<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">1&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #DD0000">'PHP'</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">2&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #DD0000">'Java'</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">3&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #DD0000">'C++'<br /></span><span style="color: #007700">];<br />foreach&nbsp;(</span><span style="color: #0000BB">$data&nbsp;</span><span style="color: #007700">as&nbsp;</span><span style="color: #0000BB">$id&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$label</span><span style="color: #007700">)&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br />}<br /><br /></span><span style="color: #0000BB">$result&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">'SELECT&nbsp;id,&nbsp;label&nbsp;FROM&nbsp;test'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$result</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">fetch_all</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_ASSOC</span><span style="color: #007700">));</span>
</span>
</code></div>
    </div>

    <div class="example-contents"><p>以上例程会输出：</p></div>
    <div class="example-contents screen">
<div class="cdata"><pre>
array(3) {
  [0]=&gt;
  array(2) {
    [&quot;id&quot;]=&gt;
    string(1) &quot;1&quot;
    [&quot;label&quot;]=&gt;
    string(3) &quot;PHP&quot;
  }
  [1]=&gt;
  array(2) {
    [&quot;id&quot;]=&gt;
    string(1) &quot;2&quot;
    [&quot;label&quot;]=&gt;
    string(4) &quot;Java&quot;
  }
  [2]=&gt;
  array(2) {
    [&quot;id&quot;]=&gt;
    string(1) &quot;3&quot;
    [&quot;label&quot;]=&gt;
    string(3) &quot;C++&quot;
  }
}
</pre></div>
    </div>
   </div>
  </p>
  <p class="para">
   Every prepared statement occupies server resources.
   Statements should be closed explicitly immediately after use.
   If not done explicitly, the statement will be closed when the
   statement handle is freed by PHP.
  </p>
  <p class="para">
   Using a prepared statement is not always the most efficient
   way of executing a statement. A prepared statement executed only
   once causes more client-server round-trips than a non-prepared statement.
   This is why the <code class="literal">SELECT</code> is not run as a
   prepared statement above.
  </p>
  <p class="para">
   Also, consider the use of the MySQL multi-INSERT SQL syntax for INSERTs.
   For the example, multi-INSERT requires fewer round-trips between
   the server and client than the prepared statement shown above.
  </p>
  <p class="para">	
   <div class="example" id="example-1423">	
    <p><strong>示例 #3 Less round trips using multi-INSERT SQL</strong></p>	
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT)"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$values&nbsp;</span><span style="color: #007700">=&nbsp;[</span><span style="color: #0000BB">1</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">2</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">3</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">4</span><span style="color: #007700">];<br /><br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id)&nbsp;VALUES&nbsp;(?),&nbsp;(?),&nbsp;(?),&nbsp;(?)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bind_param</span><span style="color: #007700">(</span><span style="color: #DD0000">'iiii'</span><span style="color: #007700">,&nbsp;...</span><span style="color: #0000BB">$values</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();</span>
</span>
</code></div>
    </div>
	
   </div>	
  </p>
  <p class="para">
   <em class="emphasis">Result set values data types</em>
  </p>
  <p class="para">
   The MySQL Client Server Protocol defines a different data transfer protocol
   for prepared statements and non-prepared statements. Prepared statements
   are using the so called binary protocol. The MySQL server sends result
   set data &quot;as is&quot; in binary format. Results are not serialized into
   strings before sending. Client libraries receive binary data and try to convert the values into
   appropriate PHP data types. For example, results from an SQL
   <code class="literal">INT</code> column will be provided as PHP integer variables.
  </p>
  <p class="para">
   <div class="example" id="example-1424">
    <p><strong>示例 #4 Native datatypes</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Non-prepared&nbsp;statement&nbsp;*/<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT,&nbsp;label&nbsp;TEXT)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id,&nbsp;label)&nbsp;VALUES&nbsp;(1,&nbsp;'PHP')"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT&nbsp;id,&nbsp;label&nbsp;FROM&nbsp;test&nbsp;WHERE&nbsp;id&nbsp;=&nbsp;1"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /></span><span style="color: #0000BB">$result&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">get_result</span><span style="color: #007700">();<br /></span><span style="color: #0000BB">$row&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$result</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">fetch_assoc</span><span style="color: #007700">();<br /><br /></span><span style="color: #0000BB">printf</span><span style="color: #007700">(</span><span style="color: #DD0000">"id&nbsp;=&nbsp;%s&nbsp;(%s)\n"</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$row</span><span style="color: #007700">[</span><span style="color: #DD0000">'id'</span><span style="color: #007700">],&nbsp;</span><span style="color: #0000BB">gettype</span><span style="color: #007700">(</span><span style="color: #0000BB">$row</span><span style="color: #007700">[</span><span style="color: #DD0000">'id'</span><span style="color: #007700">]));<br /></span><span style="color: #0000BB">printf</span><span style="color: #007700">(</span><span style="color: #DD0000">"label&nbsp;=&nbsp;%s&nbsp;(%s)\n"</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$row</span><span style="color: #007700">[</span><span style="color: #DD0000">'label'</span><span style="color: #007700">],&nbsp;</span><span style="color: #0000BB">gettype</span><span style="color: #007700">(</span><span style="color: #0000BB">$row</span><span style="color: #007700">[</span><span style="color: #DD0000">'label'</span><span style="color: #007700">]));</span>
</span>
</code></div>
    </div>

    <div class="example-contents"><p>以上例程会输出：</p></div>
    <div class="example-contents screen">
<div class="cdata"><pre>
id = 1 (integer)
label = PHP (string)
</pre></div>
    </div>
   </div>
  </p>
  <p class="para">
   This behavior differs from non-prepared statements. By default,
   non-prepared statements return all results as strings.
   This default can be changed using a connection option.
   If the connection option is used, there are no differences.
  </p>
  <p class="para">
   <em class="emphasis">Fetching results using bound variables</em>
  </p>
  <p class="para">
   Results from prepared statements can either be retrieved by
   binding output variables, or by requesting a <span class="classname"><a href="class.mysqli-result.html" class="classname">mysqli_result</a></span> object.
  </p>
  <p class="para">
   Output variables must be bound after statement execution.
   One variable must be bound for every column of the statements result set.
  </p>
  <p class="para">
   <div class="example" id="example-1425">
    <p><strong>示例 #5 Output variable binding</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Non-prepared&nbsp;statement&nbsp;*/<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT,&nbsp;label&nbsp;TEXT)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id,&nbsp;label)&nbsp;VALUES&nbsp;(1,&nbsp;'PHP')"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT&nbsp;id,&nbsp;label&nbsp;FROM&nbsp;test&nbsp;WHERE&nbsp;id&nbsp;=&nbsp;1"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /><br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">bind_result</span><span style="color: #007700">(</span><span style="color: #0000BB">$out_id</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$out_label</span><span style="color: #007700">);<br /><br />while&nbsp;(</span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">fetch</span><span style="color: #007700">())&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">printf</span><span style="color: #007700">(</span><span style="color: #DD0000">"id&nbsp;=&nbsp;%s&nbsp;(%s),&nbsp;label&nbsp;=&nbsp;%s&nbsp;(%s)\n"</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$out_id</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">gettype</span><span style="color: #007700">(</span><span style="color: #0000BB">$out_id</span><span style="color: #007700">),&nbsp;</span><span style="color: #0000BB">$out_label</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">gettype</span><span style="color: #007700">(</span><span style="color: #0000BB">$out_label</span><span style="color: #007700">));<br />}</span>
</span>
</code></div>
    </div>

    <div class="example-contents"><p>以上例程会输出：</p></div>
    <div class="example-contents screen">
<div class="cdata"><pre>
id = 1 (integer), label = PHP (string)
</pre></div>
    </div>
   </div>
  </p>
  <p class="para">
   Prepared statements return unbuffered result sets by default.
   The results of the statement are not implicitly fetched and transferred
   from the server to the client for client-side buffering. The result set
   takes server resources until all results have been fetched by the client.
   Thus it is recommended to consume results timely. If a client fails to fetch all
   results or the client closes the statement before having fetched all data,
   the data has to be fetched implicitly by <code class="literal">mysqli</code>.
  </p>
  <p class="para">
   It is also possible to buffer the results of a prepared statement
   using <span class="methodname"><a href="mysqli-stmt.store-result.html" class="methodname">mysqli_stmt::store_result()</a></span>.
  </p>
  <p class="para">
   <em class="emphasis">Fetching results using mysqli_result interface</em>
  </p>
  <p class="para">
   Instead of using bound results, results can also be retrieved through the
   mysqli_result interface. <span class="methodname"><a href="mysqli-stmt.get-result.html" class="methodname">mysqli_stmt::get_result()</a></span>
   returns a buffered result set.
  </p>
  <p class="para">
   <div class="example" id="example-1426">
    <p><strong>示例 #6 Using mysqli_result to fetch results</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Non-prepared&nbsp;statement&nbsp;*/<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT,&nbsp;label&nbsp;TEXT)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id,&nbsp;label)&nbsp;VALUES&nbsp;(1,&nbsp;'PHP')"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT&nbsp;id,&nbsp;label&nbsp;FROM&nbsp;test&nbsp;WHERE&nbsp;id&nbsp;=&nbsp;1"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /><br /></span><span style="color: #0000BB">$result&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">get_result</span><span style="color: #007700">();<br /><br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$result</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">fetch_all</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_ASSOC</span><span style="color: #007700">));</span>
</span>
</code></div>
    </div>

    <div class="example-contents"><p>以上例程会输出：</p></div>
    <div class="example-contents screen">
<div class="cdata"><pre>
array(1) {
  [0]=&gt;
  array(2) {
    [&quot;id&quot;]=&gt;
    int(1)
    [&quot;label&quot;]=&gt;
    string(3) &quot;PHP&quot;
  }
}
</pre></div>
    </div>
   </div>
  </p>
  <p class="para">
   Using the <span class="classname"><a href="class.mysqli-result.html" class="classname">mysqli_result</a></span> interface offers the additional benefit of
   flexible client-side result set navigation.
  </p>
  <p class="para">
   <div class="example" id="example-1427">
    <p><strong>示例 #7 Buffered result set for flexible read out</strong></p>
    <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br />mysqli_report</span><span style="color: #007700">(</span><span style="color: #0000BB">MYSQLI_REPORT_ERROR&nbsp;</span><span style="color: #007700">|&nbsp;</span><span style="color: #0000BB">MYSQLI_REPORT_STRICT</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">mysqli</span><span style="color: #007700">(</span><span style="color: #DD0000">"example.com"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"user"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"password"</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">"database"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/*&nbsp;Non-prepared&nbsp;statement&nbsp;*/<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"DROP&nbsp;TABLE&nbsp;IF&nbsp;EXISTS&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"CREATE&nbsp;TABLE&nbsp;test(id&nbsp;INT,&nbsp;label&nbsp;TEXT)"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">query</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;test(id,&nbsp;label)&nbsp;VALUES&nbsp;(1,&nbsp;'PHP'),&nbsp;(2,&nbsp;'Java'),&nbsp;(3,&nbsp;'C++')"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">$stmt&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$mysqli</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">prepare</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT&nbsp;id,&nbsp;label&nbsp;FROM&nbsp;test"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">execute</span><span style="color: #007700">();<br /><br /></span><span style="color: #0000BB">$result&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$stmt</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">get_result</span><span style="color: #007700">();<br /><br />for&nbsp;(</span><span style="color: #0000BB">$row_no&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$result</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">num_rows&nbsp;</span><span style="color: #007700">-&nbsp;</span><span style="color: #0000BB">1</span><span style="color: #007700">;&nbsp;</span><span style="color: #0000BB">$row_no&nbsp;</span><span style="color: #007700">&gt;=&nbsp;</span><span style="color: #0000BB">0</span><span style="color: #007700">;&nbsp;</span><span style="color: #0000BB">$row_no</span><span style="color: #007700">--)&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$result</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">data_seek</span><span style="color: #007700">(</span><span style="color: #0000BB">$row_no</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">$result</span><span style="color: #007700">-&gt;</span><span style="color: #0000BB">fetch_assoc</span><span style="color: #007700">());<br />}</span>
</span>
</code></div>
    </div>

    <div class="example-contents"><p>以上例程会输出：</p></div>
    <div class="example-contents screen">
<div class="cdata"><pre>
array(2) {
  [&quot;id&quot;]=&gt;
  int(3)
  [&quot;label&quot;]=&gt;
  string(3) &quot;C++&quot;
}
array(2) {
  [&quot;id&quot;]=&gt;
  int(2)
  [&quot;label&quot;]=&gt;
  string(4) &quot;Java&quot;
}
array(2) {
  [&quot;id&quot;]=&gt;
  int(1)
  [&quot;label&quot;]=&gt;
  string(3) &quot;PHP&quot;
}
</pre></div>
    </div>
   </div>
  </p>
  <p class="para">
   <em class="emphasis">Escaping and SQL injection</em>
  </p>
  <p class="para">
   Bound variables are sent to the server separately from the query and thus
   cannot interfere with it. The server uses these values directly at the point
   of execution, after the statement template is parsed. Bound parameters do not
   need to be escaped as they are never substituted into the query string
   directly. A hint must be provided to the server for the type of bound
   variable, to create an appropriate conversion. 
   See the <span class="methodname"><a href="mysqli-stmt.bind-param.html" class="methodname">mysqli_stmt::bind_param()</a></span> function for more
   information.
  </p>
  <p class="para">
   Such a separation sometimes considered as the only security feature to
   prevent SQL injection, but the same degree of security can be achieved with
   non-prepared statements, if all the values are formatted correctly. It should
   be noted that correct formatting is not the same as escaping and involves
   more logic than simple escaping. Thus, prepared statements are simply a more
   convenient and less error-prone approach to this element of database security.
  </p>
  <p class="para">
   <em class="emphasis">Client-side prepared statement emulation</em>
  </p>
  <p class="para">
   The API does not include emulation for client-side prepared statement emulation.
  </p>
  <p class="para">
   <em class="emphasis">Quick comparison of prepared and non-prepared statements</em>
  </p>
  <p class="para">
   The table below compares server-side prepared and non-prepared statements.
  </p>
  <table id="mysqli.quickstart.prepared.comparison" class="doctable table">
   <caption><strong>Comparison of prepared and non-prepared statements</strong></caption>
   
    <thead>
     <tr>
      <th class="empty">&nbsp;</th>
      <th>Prepared Statement</th>
      <th>Non-prepared statement</th>
    </tr>

    </thead>

    <tbody class="tbody">
     <tr>
      <td>Client-server round trips, SELECT, single execution</td>
      <td>2</td>
      <td>1</td>
     </tr>

     <tr>
      <td>Statement string transferred from client to server</td>
      <td>1</td>
      <td>1</td>
     </tr>

     <tr>
      <td>Client-server round trips, SELECT, repeated (n) execution</td>
      <td>1 + n</td>
      <td>n</td>
     </tr>

     <tr>
      <td>Statement string transferred from client to server</td>
      <td>1 template, n times bound parameter, if any</td>
      <td>n times and parsed every time</td>
     </tr>

     <tr>
      <td>Input parameter binding API</td>
      <td>Yes</td>
      <td>No, manual input escaping</td>
     </tr>

     <tr>
      <td>Output variable binding API</td>
      <td>Yes</td>
      <td>No</td>
     </tr>

     <tr>
      <td>Supports use of mysqli_result API</td>
      <td>Yes, use <span class="methodname"><a href="mysqli-stmt.get-result.html" class="methodname">mysqli_stmt::get_result()</a></span></td>
      <td>Yes</td>
     </tr>

     <tr>
      <td>Buffered result sets</td>
      <td>
       Yes, use <span class="methodname"><a href="mysqli-stmt.get-result.html" class="methodname">mysqli_stmt::get_result()</a></span> or
       binding with <span class="methodname"><a href="mysqli-stmt.store-result.html" class="methodname">mysqli_stmt::store_result()</a></span>
      </td>
      <td>Yes, default of <span class="methodname"><a href="mysqli.query.html" class="methodname">mysqli::query()</a></span></td>
     </tr>

     <tr>
      <td>Unbuffered result sets</td>
      <td>Yes, use output binding API</td>
      <td>
       Yes, use <span class="methodname"><a href="mysqli.real-query.html" class="methodname">mysqli::real_query()</a></span> with
       <span class="methodname"><a href="mysqli.use-result.html" class="methodname">mysqli::use_result()</a></span>
      </td>
     </tr>

     <tr>
      <td>MySQL Client Server protocol data transfer flavor</td>
      <td>Binary protocol</td>
      <td>Text protocol</td>
     </tr>

     <tr>
      <td>Result set values SQL data types</td>
      <td>Preserved when fetching</td>
      <td>Converted to string or preserved when fetching</td>
     </tr>

     <tr>
      <td>Supports all SQL statements</td>
      <td>Recent MySQL versions support most but not all</td>
      <td>Yes</td>
     </tr>

    </tbody>
   
  </table>

  <p class="para">
   <em class="emphasis">See also</em>
  </p>
  <p class="para">
   <ul class="simplelist">
    <li class="member"><span class="methodname"><a href="mysqli.construct.html" class="methodname">mysqli::__construct()</a></span></li>
    <li class="member"><span class="methodname"><a href="mysqli.query.html" class="methodname">mysqli::query()</a></span></li>
    <li class="member"><span class="methodname"><a href="mysqli.prepare.html" class="methodname">mysqli::prepare()</a></span></li>
    <li class="member"><span class="methodname"><a href="mysqli-stmt.prepare.html" class="methodname">mysqli_stmt::prepare()</a></span></li>
    <li class="member"><span class="methodname"><a href="mysqli-stmt.execute.html" class="methodname">mysqli_stmt::execute()</a></span></li>
    <li class="member"><span class="methodname"><a href="mysqli-stmt.bind-param.html" class="methodname">mysqli_stmt::bind_param()</a></span></li>
    <li class="member"><span class="methodname"><a href="mysqli-stmt.bind-result.html" class="methodname">mysqli_stmt::bind_result()</a></span></li>
   </ul>
  </p>
 </div></div></div></body></html>